Summary of "CRAzy About Product Cybersecurity: From Compliance to Confidence"
This video records a stakeholder event focused on the Cyber Resilience Act (CRA), its implementation, and its impact on product cybersecurity across the European Union. The discussion covers the regulatory framework, key provisions, obligations for manufacturers and other economic operators, standardization efforts, and support mechanisms, especially for micro, small, and medium enterprises (MSMEs).
Key Technological Concepts and Product Features
Cyber Resilience Act (CRA)
- EU-wide mandatory cybersecurity requirements for all products with digital elements (hardware, software, IoT devices, microchips, software libraries, operating systems).
- Emphasizes security by design and security by default as non-optional baseline principles.
- Applies a lifecycle approach to cybersecurity, including vulnerability management and patching obligations.
- Introduces CE marking to signal compliance after conformity assessment.
- Includes reporting obligations for actively exploited vulnerabilities and severe incidents via a single reporting platform managed by ENISA.
Scope and Coverage
- Broad scope covering entire supply chain components, not just finished products.
- Excludes non-commercial products, standalone software-as-a-service (SaaS) unless linked to a product with digital elements (remote data processing), and products covered by other sectoral legislation (e.g., medical devices).
- Introduces a new legal category: open source software stewards, addressing open source compliance complexities.
Conformity Assessment Regime
- Risk-based approach with different product categories: default, important (class 1 and 2), and critical products.
- Self-assessment allowed for default and some important products if harmonized standards are applied.
- Third-party conformity assessment bodies (notified bodies) mandatory for critical and some important products.
- Market surveillance and enforcement are national responsibilities coordinated at the EU level.
Standardization and Harmonized Standards
- Harmonized standards are voluntary but provide presumption of conformity benefits.
- Standards cover horizontal (product-agnostic) and vertical (product-specific) aspects, prioritizing important and critical product categories.
- Key standards under development include:
  - Type A: Common risk-based framework (expected August 2026)
  - Type B: Vulnerability handling and technical measures (August 2026)
  - Type C: Product-specific standards (October 2026) for password managers, antivirus, routers, smart cards, etc.
- European Standardization Organizations involved: CEN, CENELEC, ETSI.
- Open consultations and deep-dive sessions encourage stakeholder participation.
Implementation and Support
- CRA entered into force in December 2022; transition period ongoing with core obligations starting December 2027.
- Reporting obligations begin September 2026.
- The Commission launched a dedicated CRA implementation website with FAQs and guidance.
- Additional guidance and delegated acts forthcoming, including on reporting, spare parts, and interplay with other legislation (AI Act, DORA).
- Coordination among EU bodies: European Commission (DG CONNECT), ENISA, European Cybersecurity Competence Center, Member States, standardization bodies, and businesses.
Focus on MSMEs
- MSMEs make up over 90% of EU businesses and are key stakeholders impacted by CRA.
- CRA adopts a proportionate, risk-based approach to accommodate MSME capabilities.
- Support measures include:
  - Training, communication channels, and regulatory sandboxes at Member State level.
  - Simplified technical documentation and financial support under the Digital Europe Program.
- EU-funded projects supporting MSMEs:
  - Cyberstand.eu: Coordination and support action providing funding (~€1.5M) to enable MSMEs and individuals (including women) to participate in standardization activities and raise awareness.
  - SECURE Project: Cascading funding calls starting January 2026, offering grants up to €60,000 to MSMEs for CRA compliance activities including vulnerability testing, penetration testing, and compliance mode support.
- Projects coordinate to ensure tools and guidelines are aligned, user-friendly, and accessible.
Reviews, Guides, and Tutorials Provided
- Overview presentations on CRA provisions, scope, and obligations.
- Detailed explanation of conformity assessment procedures and risk-based product categories.
- Guidance on the role and voluntary nature of harmonized standards, with timelines for availability.
- Clarifications on reporting obligations and use of the single reporting platform.
- Insights into supply chain responsibilities and due diligence requirements.
- Introduction to EU-funded projects offering financial and technical support to MSMEs for CRA compliance.
- Open consultations and public inquiries to gather stakeholder input on standards development.
- Announcement of a CRA implementation website with comprehensive FAQs and resource links.
- Emphasis on the importance of stakeholder engagement, including manufacturers, standardization bodies, and MSMEs.
Main Speakers / Sources
- Christiane Kirketerp de Viron – Director, DG CONNECT Unit for Cybersecurity Policy
- Micah (Moderator) – DG CONNECT
- Tomaso Bernabu – CRA Implementation Team, DG CONNECT
- Luis Miguel – Expert on Conformity Assessment, DG CONNECT
- Kami – CRA Standardization Lead, DG CONNECT
- Lucia Lanfrey – Project Management Manager, CEN/CENELEC
- Kim Nordstrom – Technical Officer, ETSI
- Chaba – MSME Support, DG CONNECT
- Nick Ferguson – Coordinator, Cyberstand.eu Project
- Danilo Deia – Coordinator, SECURE Project, Italian Cyber Security Agency
- Stefanuk – Head of Unit, DG CONNECT (Closing remarks)
Summary Takeaways
- Security by Design is mandatory under the CRA and applies to all products with digital elements placed on the EU market.
- Cooperation and stakeholder engagement across manufacturers, suppliers, standardization bodies, and authorities are essential for successful implementation.
- MSMEs receive special attention and support via guidance, financial aid, and simplified compliance paths to ensure broad adoption and compliance.
- Harmonized standards will play a critical role but remain voluntary, providing a streamlined path to demonstrate compliance.
- The CRA represents a major regulatory shift aiming to enhance cybersecurity, trust, and innovation in Europe’s digital single market with global implications.
This event serves as a foundational guide for stakeholders to understand the CRA’s requirements, upcoming milestones, and available support resources, promoting a culture of cybersecurity beyond mere compliance.